LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks


Post on 11-Jan-2016


Page 1: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Sencun Zhu, Sanjeev Setia, Sushil Jajodia

Presented by: Harel Carmit

Page 2: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Outline

• Motivation
• Overview
• Key Establishment
• Inter-node Traffic
• Performance Evaluation
• Security Analysis

Page 3: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Motivation

Background:

• Deploying sensor systems in unattended and adversarial environments requires confidentiality and authentication.
• Providing security is hard due to resource limitations: each node has a 4 MHz processor and 8 kb of memory (hence asymmetric cryptosystems are not practical).
• Establishing a shared key is the main issue.

Page 4: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Motivation (continued)

Solution: pre-deployed keying.

• One approach: all the nodes share the same key. Low storage cost, but also low security.
• Second approach: every two nodes share a different key. Ideal security; however, how many keys will we need? What about dynamic networks? Moreover, the effectiveness of in-network processing is reduced or prevented.

Page 5: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Solution – LEAP: Localized Encryption and Authentication Protocol

• A key management protocol for sensor networks.
• Supports ‘in-network’ processing.
• Provides security properties similar to the second approach.
• Supports multiple keying mechanisms.

Motivation: different types of messages require different security levels.

Page 6: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Assumptions

• Sensor networks are static.
• The base station acts as a controller and is supplied with long-lasting power.
• The sensors are similar in capabilities.
• Every node has space for storing hundreds of bytes.
• The immediate neighbors are not known in advance.
• The adversary can eavesdrop on all traffic, inject packets or replay older messages.
• The base station cannot be compromised.

Page 7: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Design Goals

• LEAP is designed as an efficient security mechanism for supporting communication in sensor networks.
• The sensor should be robust against security attacks; the impact of an attack should be minimal.
• The protocol supports optimization mechanisms such as in-network processing.
• The key establishment process should minimize computation.

Page 8: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Overview

Establishment of four types of keys:

1. Individual key – Every node shares a unique key with the base station for secure communication, such as reporting unexpected behavior of a neighbor.
2. Group key – A globally shared key that is used by the base station to broadcast to the whole group, for example to issue missions, queries or instructions.
3. Cluster key – A key shared by a node and all its neighbors for securing locally broadcast messages in order to save transmissions.
4. Pairwise key – A key shared by a node and each of its neighbors for secure communication, such as distributing the cluster key.

Page 9: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment

Establishing Individual Node Keys:

• The controller has a master key $k_s^m$.
• For each node $u$, its key $k_u^m$ is generated and pre-loaded prior to the node's deployment.
• The key is generated as follows: $k_u^m = f_{k_s^m}(u)$, where $u$ is the node's unique ID and $f$ is a pseudo-random function.
• When the controller needs to communicate with an individual node $u$, it computes the key on the fly.
• The storage and computational overhead are negligible.

Page 10: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Pseudo-random function

• A function from $\{0,1\}^n$ to $\{0,1\}^m$.
• A good PRF acts as an “almost” random function: given two strings from $\{0,1\}^m$, one completely random and the other an output of a PRF, the probability that an adversary will be able to tell the difference between them is negligible.

Page 11: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Establishing Pairwise Shared Keys:

• Assume a lower bound interval $T_{min}$ necessary for an adversary to take control of a sensor node.
• Assume also that $T_{test}$ is the time a newly deployed node needs to discover its immediate neighbors, and $T_{test} < T_{min}$ (a reasonable assumption for most sensor networks and adversaries).

Page 12: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Four steps for adding a new node:

1. The controller generates an initial key $k_I$ and loads each node with it. Each node $v$ derives a master key; written for a node $u$: $k_u = f_{k_I}(u)$.
2. When $u$ is deployed it broadcasts a “HELLO” message, and each neighbor $v$ replies:
   $u \to *: u, Nonce_u$ ($Nonce_u$ is a random number)
   $v \to u: v, MAC(k_v, Nonce_u | v)$ ($MAC$ is a message authentication code)
3. Each side computes $k_{uv} = f_{k_v}(u)$.
4. Erase all the master keys and $k_I$.

Special case: $u$ and $v$ are added at the same time. The key is $k_{vu}$ if $v < u$.

Page 13: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Message authentication code

• An efficient function $MAC_k(m): \{0,1\}^l \times \{0,1\}^* \to \{0,1\}^l$.
• To authenticate $m$, send $\langle m, MAC_k(m) \rangle$.
• Upon receiving $\langle m, a \rangle$, verify that $a = MAC_k(m)$.
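The four-step pairwise key establishment and the MAC check above, as an added example that is not part of the original slides. HMAC-SHA256 truncated to 8 bytes stands in for both the pseudo-random function $f$ and the MAC, and the `Node` class, its method names and the `PRF`/`MAC` domain-separation prefixes are assumptions of this sketch.

```python
import hashlib
import hmac
import os

KEY_LEN = 8  # the slides assume 8-byte keys

def prf(key: bytes, data: bytes) -> bytes:
    # f_k(data). Assumption: truncated HMAC-SHA256 stands in for the PRF.
    return hmac.new(key, b"PRF" + data, hashlib.sha256).digest()[:KEY_LEN]

def mac(key: bytes, data: bytes) -> bytes:
    # MAC(k, data), domain-separated from prf() because both are keyed with k_v.
    return hmac.new(key, b"MAC" + data, hashlib.sha256).digest()[:KEY_LEN]

class Node:
    def __init__(self, node_id: bytes, k_init: bytes):
        self.node_id = node_id
        self.k_init = k_init                  # k_I, held only during T_test
        self.k_master = prf(k_init, node_id)  # step 1: k_u = f_{k_I}(u)
        self.nonce = b""
        self.pairwise = {}

    def hello(self):
        # step 2: u -> *: u, Nonce_u (fixed length, so Nonce_u | v is unambiguous)
        self.nonce = os.urandom(KEY_LEN)
        return self.node_id, self.nonce

    def reply(self, u_id: bytes, nonce_u: bytes):
        # neighbor v: v -> u: v, MAC(k_v, Nonce_u | v); step 3: k_uv = f_{k_v}(u)
        self.pairwise[u_id] = prf(self.k_master, u_id)
        return self.node_id, mac(self.k_master, nonce_u + self.node_id)

    def on_reply(self, v_id: bytes, tag: bytes) -> bool:
        # new node u: recompute k_v from k_I, check the MAC, then derive k_uv
        if self.k_init is None:
            raise RuntimeError("k_I already erased; cannot authenticate neighbors")
        k_v = prf(self.k_init, v_id)
        if not hmac.compare_digest(tag, mac(k_v, self.nonce + v_id)):
            return False
        self.pairwise[v_id] = prf(k_v, self.node_id)
        return True

    def erase(self):
        # step 4: drop k_I; neighbors' master keys were never stored.
        # Assumption: the node keeps its own master key to answer later HELLOs.
        self.k_init = None
```

A node captured after `erase()` holds only its own master key and its established pairwise keys, so it cannot recompute another node's master key.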

Page 14: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Establishing Cluster Keys:

• Node $u$ generates a random key $k_u^c$ and encrypts it with the pairwise key of each neighbor $v_i$: $u \to v_i: (k_u^c)_{k_{uv_i}}$ (the subscript denotes encryption under that key).
• Node $v_i$ decrypts the message and keeps the key.
• If one of the neighbors is revoked, node $u$ generates a new cluster key.

Page 15: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Establishing Multi-hop Pairwise Shared Keys:

• Extend the circle of neighbors: not just immediate neighbors but also nodes multiple hops away.
• Works well only if:
  1. The multi-hop pairwise shared keys can be established within $T_{min}$.
  2. A node has enough memory space.

What if not?

Page 16: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Establishing Two-hop Pairwise Shared Keys: secure against the corruption of m-1 nodes.

• Node $u$ has to find, using a QUERY message, all the neighbors $v_1, \ldots, v_i$ that are common to it and the target node $c$.
• To establish a pairwise key $S$ with node $c$, node $u$ splits $S$ into $i$ shares $sk_1, sk_2, \ldots, sk_i$; it then forwards each $sk_i$ to $c$ through $v_i$:
  $u \to v_i: \{sk_i\}_{k_{uv_i}}, f_{sk_i}(0)$
  $v_i \to c: \{sk_i\}_{k_{v_i c}}, f_{sk_i}(0)$
  where $f_{sk_i}(0)$ is the authentication key of $sk_i$.

Page 17: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Establishing Group Keys:

• A key that is shared by all the nodes in the network. Necessary when the controller distributes a message to all the nodes.
• Instead of using the hop-by-hop method, which is too wasteful (each node has to decrypt and encrypt the message), the group key is pre-loaded into every node.
• An important question arises: how do we securely update the key?
• Naïve approach: use the individual keys. Not scalable.
• Solution: secure key distribution using TESLA.

Page 18: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Authentic Node Revocation:

• TESLA is a broadcast authentication protocol based on the use of a one-way key chain and delayed key disclosure.

$M: Controller \to *: u, f_{k_g'}(0), MAC(k_i^T, u | f_{k_g'}(0))$

where $k_g'$ is the new group key, $k_i^T$ is the to-be-disclosed TESLA key, $u$ is the node to be revoked, and $f_{k_g'}(0)$ is the verification key.

Page 19: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Key Establishment (continued)

Secure Key Distribution:

• Organize the nodes in a BFS tree. Each node keeps track of its immediate neighbors.
• The new group key is distributed via a recursive process.
• Each node transmits it down the tree using its own cluster key. Hop-by-hop is not too wasteful here because the message (a key) is small and the event is infrequent.
• The key should be updated even if no revocation event occurs.

Page 20: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Inter-node Traffic Authentication:

• A mandatory requirement is that every message must be authenticated before it is forwarded or processed.
• The authentication scheme must be easy to compute.
• TESLA is not suitable, due to latency and storage.
• Pairwise key authentication precludes passive participation.
• Hop-by-hop authentication is possible; the overhead is small because a MAC is easy to compute, but it does not protect against inside adversaries that have compromised a node.

Page 21: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Inter-node Traffic Authentication:

One-way Key Chain Based Authentication: protects against impersonation attacks.

• Every node generates a one-way hash key chain, then transmits the first key to each neighbor encrypted with the pairwise key. Each message is authenticated with the next key in the chain. The keys are disclosed in reverse order.

ikuvxhnviu ))(( :)( 1 ),),(1MAC( : xhnMxhnviu

Triangular inequality: $|uv| < |ux| + |xv|$. Adversary $x$ cannot reuse node $u$'s authentication keys to impersonate $u$.

[Figure: nodes u, x and v]
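One-way key chain verification on the receiving neighbor, as an added example that is not part of the original slides. Truncated SHA-256 as the one-way function, the packet layout (message, disclosed key, MAC keyed with that key) and the `max_gap` loss tolerance are assumptions of this sketch.

```python
import hashlib
import hmac

KEY_LEN = 8  # the slides assume 8-byte keys

def h(x: bytes) -> bytes:
    # One-way function; truncated SHA-256 is an assumption of this example.
    return hashlib.sha256(x).digest()[:KEY_LEN]

def make_chain(seed: bytes, n: int) -> list:
    # chain[j] = h^j(seed); chain[n] is the commitment handed to each neighbor.
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

def send(chain: list, j: int, msg: bytes):
    # Assumed packet layout: message, disclosed key h^j(x), MAC keyed with it.
    key = chain[j]
    return msg, key, hmac.new(key, msg, hashlib.sha256).digest()[:KEY_LEN]

class Neighbor:
    def __init__(self, commitment: bytes, max_gap: int = 3):
        self.last = commitment  # most recent authenticated chain key
        self.max_gap = max_gap  # packets that may be lost in a row (assumption)

    def accept(self, msg: bytes, key: bytes, tag: bytes) -> bool:
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:KEY_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        cur = key
        for _ in range(self.max_gap + 1):
            cur = h(cur)
            if hmac.compare_digest(cur, self.last):
                self.last = key  # keys are consumed in reverse chain order
                return True
        return False  # replayed, older, or unrelated key
```

Because the receiver only moves backwards along the chain, a key that has already been accepted (or any key disclosed before it) never verifies again.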

Page 22: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Inter-node Traffic Authentication:

Probabilistic Challenge Scheme:

• The following attack still cannot be prevented: an insider adversary can shield node v by letting two nodes transmit at the same time, and then use the key that was not received to authenticate its own message.
• Solution: challenge the authenticity of a received packet with a certain probability.

)N,C|N,MAC(KNvu uv|uvu :

),C|N,MAC(KC,Nuv vuvv :PcChallenge probability

The adversary does not know it.

$p_c = p_r/d$, where $p_r$ is the probability that a node gets challenged.

Page 23: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Performance Evaluation (key establishment, key updating)

Computational cost:

• Only the cost of group and cluster keys is considered.
• Updating a cluster key requires encrypting the new one with the pairwise keys; the computational cost depends on the number of neighbors:

$S_e = \sum_{i=1}^{d_0} d_i$

where $d_0$ is the number of nodes being revoked and $d_i$ is the number of legitimate neighbors of each $d_0$.

Page 24: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Performance Evaluation (key establishment, key updating)

Computational cost:

• For a network of size $N$, the average number of symmetric key operations is $2S_e/N$.
• Distributing the group key requires $2N$ operations. The average cost is two operations per node.
• The average number of symmetric key operations for each node, where each node's degree is $d$, is $2(d-1)^2/(N-1) + 2$.

Page 25: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Performance Evaluation (key establishment, key updating)

Communication Cost:

• Same as the computational cost. Group rekeying based on a logical key tree requires $O(\log N)$ communication cost.

Storage Requirement:

• Each node has to keep four types of keys. For $d$ neighbors, it has one individual key, $d$ pairwise keys, $d$ cluster keys and one group key.
• In addition, it keeps each neighbor's commitment and its own key chain.

Page 26: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Performance Evaluation (key establishment, key updating)

• To avoid storing the entire key chain, deploy the optimization algorithm of Coppersmith and Jakobsson to trade storage for computation cost; it performs $O(\log_2 n)$ hashes per output element using $O(\log_2 n)$ memory cells.
• The total number of stored keys is $3d + 2 + L$, where $L$ is the number of keys a node stores for its key chain.
• For $L = 20$ and $d = 20$, a node stores 82 keys, 656 bytes in total when the key size is 8 bytes.

Page 27: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Security Analysis (keying mechanisms)

• Upon compromise detection, an efficient revocation takes place: update the group and cluster keys, and delete its pairwise keys from each node.

Survivability:

• Obtaining the individual key does not help the adversary to launch attacks.
• Spoofing and altering messages are difficult.

Page 28: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Security Analysis (keying mechanisms)

• Possessing the pairwise and cluster keys allows the adversary to create false messages. The possible damage can be localized, since a node can establish trust relationships only with its neighbors.
• Possessing the group key allows the adversary to read the messages from the base station, but not to impersonate it, because of the authentication mechanism.

Page 29: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Security Analysis

Defending against various attacks on secure routing:

• The adversary tries to convince all or part of the nodes that it is their neighbor.
• The adversary replicates the compromised node, adds multiple replicas into the network and tries to establish pairwise keys with its so-called neighbors.
• The adversary convinces other nodes that they are located at a different distance from the base station.

Page 30: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Related Work

• Stajano and Anderson proposed bootstrapping trust relationships through physical contact.
• Perrig et al. present security protocols for sensor networks, such as SNEP for data confidentiality and two-party data authentication, and TESLA. Their scheme uses the base station to establish individual keys.
• Zhu et al. propose bootstrapping trust among mobile nodes based on TESLA and one-way hashes.
• Eschenauer and Gligor present a key management scheme for sensor networks based on probabilistic key predeployment, which was extended by Chan et al. to three mechanisms for key establishment.
• Basagni et al. discuss a rekeying scheme for periodically updating the encryption key in a sensor network. Nodes are tamper-free and trust each other.

Page 31: LAEP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks

Summary

• LEAP, a key management protocol for sensor networks, provides authentication and confidentiality.
• Supports ‘in-network’ processing and passive participation.
• Different types of messages require different security levels, hence four types of keys are established.